Safety calls for Security

Safety Engineering Services, EDAG Production Solutions

In its current report on IT security in Germany, the Federal Office for Information Security rates the hazard for industrial control systems as high. This evaluation is reinforced by the analysis of the Honeynet project, in which TÜV Süd indicates that access has been gained to the virtual infrastructure of a waterworks.

Some of the estimated 60,000 external access attempts were made explicitly via industrial protocols such as Modbus TCP und S7Comm. This shows that cyber criminals make targeted attacks on networked industrial automation systems.

The hazard to industrial plants increases, as these are more and more frequently connected with the Internet or other systems attached to the Internet. This networking makes cyber attacks on them much easier and increases the probability of their occurring. If the intruders succeed, they can steal data and manipulate, damage or even destroy the systems. Apart from these obvious consequences, attacks of this type can also impact functional safety. If the systems are corrupted from outside, the risk reduction offered by functional safety no longer works. The system is unsafe and employees can be at risk. Safety calls for security.

Statutory provisions exist

Statutory requirements to observe the interface between safety and security already exist. In the European economic area, the minimum requirements for machinery and system safety are defined in the machinery directive. Many of the industrial automation systems fall within its scope. According to the directive, control systems must be able to withstand the expected operational stress and outside influences. In the security sector, a cyber attack is explicitly identified as external influence.

Many systems and production plants are not originally designed to be networked, but in many cases, this step is subsequently taken as part of Industry 4.0. After a conversion of this type has been carried out, it is necessary to check whether functional safety requirements are still met. The networking of installations is, after all, a significant modification of the system. The Federal Ministry of Labour and Social Affairs has issued an interpretation paper on this subject. If the risk of cyber attacks is increased on account of networking, then according to the Ministry, the existing safety measures must be capable of reducing the risk again to a tolerable level. If they are insufficient for this purpose, new safety precautions must be adopted. With many systems, this is necessary as safety technology is either absent or obsolete.

Further, the Ordinance for Industrial Safety and Health requires operators of industrial automation systems to prepare and then regularly check a risk assessment for each workplace. If safety-relevant amendments are made to systems, and connection to the Internet falls in this category, an update is necessary – in order to be better able to resist cyber attacks.

The interface between safety and security

There are currently no standards that specifically deal with the interface between safety and security. Nevertheless, it is still advisable to carry out a corresponding evaluation using existing IT security standards. The adjusted process serves as the basis for the handling of security risks in accordance with ISO 27005. The protection targets integrity, availability and confidentiality are to be taken into account at all stages. In the event of irregularities in communication, for instance, most systems have a function that puts an installation into a safe state. In terms of hazard prevention, then, availability is still given in the event of a communication breakdown. To guarantee confidentiality, users must be authenticated beyond any doubt. This is already being implemented by some manufacturers of safe control systems. The standard ISO 13849 also makes similar - though rudimentary - demands with regard to software-based parametrisation.

Further, risk and hazard assessments that have already been carried out should be analysed, and notice taken of any functional safety aspects they contain. The control components identified in the process are useful for determining the area of application, the hazardous areas of which are classified on the basis of the standards in IEC 62443. As a result, interfaces and relevant components can be clearly recorded. For the security risk assessment, for example, the performance level calculated according to ISO 13849 is useful, because this enables potential violations – and therefore risks – to be evaluated immediately. Risk handling must ensure that the functional safety and security measures do not interfere with each other. Both safety and security factors must be taken into account when defining risk acceptance. This approach applies only to the networking of finished components such as safe controls, sensors and actuators. The development of the embedded hardware and software requires all-round consideration – ideally, security already plays a role in the planning.

Often, the manufacturers and system integrators of industrial automation systems and components do not know which IT infrastructure their products are to be integrated into. It is therefore difficult for them to perform a detailed analysis of connections to external systems. However, adequate documentation of known weak spots does help the operator to regularly check interaction with the office IT, for example. This is necessary because the threat is continually changing and new weak spots are continually being discovered in software and hardware components.

Safety needs security

Manufacturers, system integrators and production plant operators should take the threat to functional safety due to cyber attacks seriously, and take appropriate steps now. Ideally, all the parties concerned already work together at the planning stage, to guarantee optimum protection. The tools necessary for developing a suitable process are already available. Functional safety without security should soon be a thing of the past.